Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd daemon binary to root:wheel, five co-located binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, and sshfs_server) in /Library/Application Support/com.canonical.multipass/bin/ retain ownership by the installing user and remain writable. Because the root LaunchDaemon (com.canonical.multipassd.plist) configures a PATH environment variable that prioritizes this user-writable directory and invokes these auxiliary binaries by their bare names, a local attacker can replace an auxiliary binary (such as qemu-img) with a malicious wrapper. When the root daemon subsequently triggers the binary during routine execution (e.g., via multipass launch), the malicious code executes with root privileges, leading to local privilege escalation.
AnalysisAI
Local privilege escalation in Canonical Multipass for macOS before 1.16.3 allows a low-privileged local user to obtain root execution by replacing co-located auxiliary binaries that the multipassd LaunchDaemon invokes via a user-writable PATH directory. The flaw is an incomplete remediation of CVE-2025-5199: while 1.16.0 corrected ownership of the multipassd binary itself, five sibling binaries (multipass, qemu-img, qemu-system-aarch64, qemu-system-x86_64, sshfs_server) were left owned by the installing user and writable, enabling binary planting. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
Multipass is Canonical's lightweight VM manager for macOS that ships a privileged LaunchDaemon (com.canonical.multipassd.plist) which manages QEMU-backed Ubuntu instances. The root daemon's plist defines a PATH environment that prioritizes /Library/Application Support/com.canonical.multipass/bin/ and invokes helper utilities (qemu-img, qemu-system-*, sshfs_server, multipass) by bare name rather than absolute path, so resolution of those names depends on directory contents and ownership. The root cause is CWE-276 (Incorrect Default Permissions): the installer left auxiliary executables owned and writable by the unprivileged installing user, so any code substituted at those paths is later loaded by a root-owned process - a classic write-where-root-reads trust boundary violation that the 1.16.0 fix only partially addressed by changing ownership of the daemon binary alone.
RemediationAI
Vendor-released patch: upgrade Canonical Multipass on macOS to version 1.16.3 or later, which is referenced as the fixed release in the GitHub Security Advisory at https://github.com/canonical/multipass/security/advisories/GHSA-r2xg-x32f-23c5. Until the upgrade is deployed, administrators can apply compensating controls by recursively changing ownership of /Library/Application Support/com.canonical.multipass/bin/ and its contents to root:wheel with mode 0755 so the installing user can no longer overwrite the auxiliary binaries (side effect: subsequent Multipass auto-updates or reinstalls performed under the user account may fail or revert permissions), and by unloading the LaunchDaemon with launchctl unload /Library/LaunchDaemons/com.canonical.multipassd.plist on systems where Multipass is not actively required (side effect: VM management via Multipass is disabled until reloaded). On multi-user macOS hosts, restrict interactive login to trusted accounts to reduce the local-attacker prerequisite.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32900